From owner-freebsd-questions Fri Mar 19 22:10:17 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost1.attcanada.net (mailhost1.attcanada.net [206.191.82.42]) by hub.freebsd.org (Postfix) with ESMTP id 20DEF14EFB for ; Fri, 19 Mar 1999 22:10:15 -0800 (PST) (envelope-from j.yeo@attcanada.net)
Received: from upstairs ([142.194.55.178]) by mailhost1.attcanada.net (InterMail v03.02.07 118 124) with SMTP id <19990320060425.BYY29950@upstairs>; Sat, 20 Mar 1999 06:04:25 +0000
Message-ID: <012901be7298$a17be780$0a64a8c0@upstairs.gvsa1.bc.wave.home.com>
From: "Jeff Yeo"
To: "Jeff Yeo", "'freebsd-questions@freebsd.org'", "Ludwig Pummer"
Subject: Re: ipfw rule blocking connection
Date: Fri, 19 Mar 1999 22:11:36 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> When you're using natd, you have to remember that packets get sent to natd
> by a certain divert rule in your ipfw. Before that rule, the destination
> address will be your outside Internet IP. NATD does its work and reinjects
> the packet. The divert rule gets skipped.
> ... stuff deleted ...
> My rc.firewall using the 'OPEN' firewall type:
>
> $OIP is my outside Internet IP address.
>
> #$fwcmd add 2000 divert natd all from any to any via vx0
> $fwcmd add 4000 deny log all from $OIP to $OIP in via vx0
> $fwcmd add 4010 deny log all from 172.16.0.0/12 to any in via vx0
> $fwcmd add 4020 deny log all from 192.168.0.0/16 to any in via vx0
> $fwcmd add 4030 deny log all from 10.0.0.0/8 to any in via vx0
> #^-- disallow spoofers spoofing over cable modem interface
> $fwcmd add 5000 deny log tcp from any to $OIP 137,138,139 in via vx0
> $fwcmd add 8000 divert natd all from any to any via vx0
> $fwcmd add 10000 deny log tcp from any to $OIP pop2,pop3,imap via vx0
> $fwcmd add 65000 pass all from any to any
> ... more stuff deleted ...
> If you take a look, I block RFC 1918 subnets before NATD does its magic, so
> the destination IPs of traffic coming in via vx0 are still my $OIP address.

BTW, it isn't the "from 192.168.0.0/16 to any via ${oif}" rule that is causing
me problems, it is the "from any to 192.168.0.0/16 via ${oif}" rule.

I thought of moving the rule order, and tried moving the offending rule before
the natd rule in /etc/rc.firewall. The blocking rule:

    00050 deny ip from any to 192.168.0.0/16 via ${oif}

was first in the list and the natd rule:

    00100 divert natd ip from any to any via ${oif}

was second in the list. Incoming packets were still blocked. I used tcpdump to
look at the traffic on my external interface, and not a 192.168.x.x to be seen
in either direction. Hence my consternation. (I suppose I should have mentioned
this in my first post, but it seemed long enough as it was.)

To be certain, I tried again tonight. This time I moved the natd rule after the
RFC1918 rules. I changed my

    deny all from 192.168.0.0/16 to any via ${oif}

to

    deny all from 192.168.0.0/16 to any in via ${oif}

as you suggested, but was still blocked by

    deny all from any to 192.168.0.0/16 via ${oif}

As before, tcpdump indicates that there are no 192.168.x.x addresses on the
external interface.
I should add that I do see incoming packets from the remote site, but they have
the firewall's external IP address (as they should with natd).

Have I misunderstood something?

Jeff

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
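The point the quoted reply makes, that a reinjected packet resumes matching at the rule after the divert and by then carries the translated (inside) destination, is easy to see with a small model of the ruleset walk. The following is an added illustration written for this archive page; it is not code from the thread or from FreeBSD's ipfw or natd. It models only what the thread relies on: "via" matches either direction, "in via" and "out via" only one, and natd rewrites the packet that the divert rule handed it before evaluation continues with the next rule. The interface name (a stand-in for ${oif}), the outside address (a stand-in for $OIP), the inside host and the natd state entry are all constructed; the rulesets are constructed too, so the model does not claim to reproduce every detail of the poster's experiment.

```python
"""Toy model of how ipfw walks a ruleset containing a natd divert rule.

Added example, not code from the thread or from FreeBSD. Everything below
(interface, addresses, NAT state, rulesets) is constructed for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

OIF = "ed0"                   # constructed stand-in for ${oif}
OIP = "203.0.113.5"           # constructed stand-in for $OIP
INSIDE_HOST = "192.168.1.10"  # constructed inside client behind natd
# Constructed natd state: INSIDE_HOST:1025 was translated to OIP:60000.
NAT_TABLE = {(OIP, 60000): (INSIDE_HOST, 1025)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str
    direction: str   # "in" or "out"


@dataclass(frozen=True)
class Rule:
    num: int
    action: str      # "deny", "pass" or "divert"
    src: object      # ip_network, or None for "any"
    dst: object
    direction: str   # "in", "out" or "via" (either direction)
    iface: object    # interface name, or None when the rule has no via clause


def parse_rule(line: str) -> Rule:
    """Parse the ipfw subset used in the thread:
    'add NUM ACTION [natd] PROTO from SRC to DST [in|out] [via IFACE]'."""
    tok = line.split()
    assert tok[0] == "add", line
    num, action = int(tok[1]), tok[2]
    i = 4 if action == "divert" else 3   # skip divert port name ("natd")
    i += 1                               # skip protocol word; not modelled
    assert tok[i] == "from" and tok[i + 2] == "to", line
    src = None if tok[i + 1] == "any" else ip_network(tok[i + 1], strict=False)
    dst = None if tok[i + 3] == "any" else ip_network(tok[i + 3], strict=False)
    rest = tok[i + 4:]
    direction = rest.pop(0) if rest and rest[0] in ("in", "out") else "via"
    iface = rest[1] if rest and rest[0] == "via" else None
    return Rule(num, action, src, dst, direction, iface)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src is not None and ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.iface is not None and pkt.iface != rule.iface:
        return False
    return rule.direction in ("via", pkt.direction)


def natd(pkt: Packet) -> Packet:
    """Minimal natd: inbound packets to a translated (OIP, port) go back to
    the inside host; outbound packets from private space get OIP as source."""
    if pkt.direction == "in":
        inside = NAT_TABLE.get((pkt.dst, pkt.dport))
        return replace(pkt, dst=inside[0], dport=inside[1]) if inside else pkt
    if ip_address(pkt.src).is_private:
        return replace(pkt, src=OIP, sport=60000)
    return pkt


def run(ruleset, pkt: Packet):
    """Walk rules by number. A matching divert rule rewrites the packet and
    evaluation continues at the next rule, which sees the rewritten
    addresses. Returns (verdict, rule number, packet as finally seen)."""
    for rule in sorted(map(parse_rule, ruleset), key=lambda r: r.num):
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)      # reinjected; the divert rule itself is skipped
            continue
        return rule.action, rule.num, pkt
    return "deny", 65535, pkt    # implicit default rule


# Divert ahead of the RFC 1918 rules: the "any to 192.168/16 via" rule
# runs against the already-translated packet.
ORDER_DIVERT_FIRST = [
    f"add 50 divert natd all from any to any via {OIF}",
    f"add 100 deny all from 192.168.0.0/16 to any via {OIF}",
    f"add 200 deny all from any to 192.168.0.0/16 via {OIF}",
    "add 65000 pass all from any to any",
]
# Anti-spoofing on the untranslated packet: "in via" rules ahead of the
# divert, and only an "out via" rule behind it.
ORDER_SPOOF_FIRST = [
    f"add 40 deny all from 192.168.0.0/16 to any in via {OIF}",
    f"add 41 deny all from any to 192.168.0.0/16 in via {OIF}",
    f"add 50 divert natd all from any to any via {OIF}",
    f"add 200 deny all from any to 192.168.0.0/16 out via {OIF}",
    "add 65000 pass all from any to any",
]
# Constructed packets: a web server's reply to the translated connection,
# and a spoofed packet arriving outside with a private destination.
REPLY = Packet("198.51.100.7", OIP, 80, 60000, OIF, "in")
SPOOFED = Packet("198.51.100.7", INSIDE_HOST, 80, 1025, OIF, "in")
```

Running `run(ORDER_DIVERT_FIRST, REPLY)` returns a deny from rule 200 with the packet's destination already rewritten to the inside host, which is why tcpdump on the outside interface never shows a 192.168 address yet the rule still fires; `run(ORDER_SPOOF_FIRST, REPLY)` passes the same reply at rule 65000 while the spoofed packet is still dropped, by rule 41, before it reaches natd.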